Meeting of K-PACK, February 2, 1996 Harry Paxton is in the S. Pacific. He left us a list of at least 15 fax numbers over the next few weeks. Since this is going to be transcribed, maybe the best thing to do is to proceed so we at least have some voice record with a name. Paul Karol, Chairman of Committee David Banks, Statistics Department Bob Kraut, Social and decision sciences Linda Argote, GSIA Ed Clarke, Computer Science [CM:] David, you had asked whether there were any unusual protocols and things like that, and since I said not really, but one that we probably will follow is there may be a tendency for you to ask us why we are asking you certain questions. And the odds are overwhelming that we won't answer that. [DB:] I see. [CM:] That's not a procedure, it's just a group of crummy statement as to ... [DB:] I understand that there are some things you can't tell me, and I guess I ought to go on record to say that I would like access to all the information that is appropriate for me to have. [CM:] Okay. With that we really certainly want to start, maybe even loosen things up by giving you a chance to talk a little bit and maybe address as a question, "What's your opinion of the involvement of others in this situation?" [DB:] Well, quite candidly, I think Marvin Sirbu made a number of major mistakes. I think Rimm acted in ways that amplified those mistakes and perhaps sort of laid the ground work for them. I know nothing about Ed Zuckerman's direct involvement except he was in, I think , two of the four meetings that we had and possibly attended half of another one I'm trying to... it's been a very long time. But he was quiet in virtually all the meetings. I don't recall any statement that appears on any of the charges that I have heard made here directly. To the best of my knowledge, I have never met John Meyers, and I agree those are all of the respondents that have been named so far. [CM:] Feel free to ... There is, of course, a bit of discussion of exchanges about George Duncan's role in trying to discuss the anonymization data. I guess I would like to amplify or have you amplify that a little bit. We've read the e-mail that you have provided us, and what I'm unclear about is how much further is George Duncan involved in this and could you sense the extent to which he was concerned about the anonymization issue, and convey that concern. [DB:] Yes, I will try. [CM:] Who initiated the suggestion to talk to ... [DB:] Yes, sure. I think most of that is in the write-up that I gave you, and I'll start at the beginning and go through to the end on that. One small thing I want to suggest is that I would feel much more comfortable if we worked through, perhaps not in direct order but, all of the charges that were made in the person of the Committee of Inquiry. [CM:] Good. Okay. [DB:] Regarding the George Duncan stuff, I went to, I think it was the third meeting with Sirbu and Rimm, and although I can't swear, I do not think Zuckerman was there, but you'll have to ask Zuckerman for that directly. Sirbu and Rimm came in very happy and upbeat in congratulating each other. They told me that Sirbu had gotten a clue as to how the AMS dot? profile files were organized, or their existence, or something like that, and realized that that would give them a handle on accessing student and faculty and staff bulletin board usage, and he instructed Rimm to go out and gather all that. Rimm had done so and apparently he had just reported, immediately before I arrived to the meeting, that he had successfully captured all of that. I was started. I asked if this was legal and Sirbu assured me that it was, and said that the little disclaimer that appears in the front of the computer screen when you log into the Andrew system, that actions on this system are subject to monitoring, etc. constituted warning that this was open space, and he quoted part of the Privacy Act to me quick, so apparently he was familiar with from, I don't know where, perhaps his visa work. And he said it was legal. I asked if it was ethical for us to have it, and he explained that what one watches in a public place is appropriate and that if you were a sociologist you could go out and sit on a street corner and count how many people jaywalk and that's not unethical. I was not coping with this and I suggested that we should get the advice of George Duncan because George is cross in my department and somebody I know well. I trust his judgment and he would also be, at least he was, I thin k he is in the chair of the National Academy of Sciences Committee on Database Security, Confidentiality, and Privacy. Something like that and I may have the titles or the organization mixed up, but it is something of that kind. So, he was the person I thought of immediately as the ultimate arbiter on this type of stuff. And I guess I did not feel comfortable with Sirbu's justification for doing this, but he knew a lot more about the law in this area that I do, and I didn't want to challenge him directly in what was a friendly meeting, so I didn't say, you're wrong, you're lying, that's not right. I just wanted to get another opinion. Sirbu said that that was not necessary and he did not want to enlarge the circle of people who knew of the AMS dot? profile capture. They didn't ask me whether or not one could make statistical inferences on usage rates from one capture, or whether it would be better to capture it in two time points and be able to see how many people accessed, once a week say, if you captured them a week apart and you could find out how many people were on the original list, how many people were on the second list, and by comparing the dates of the last access determine that. And I said one could do an analysis of usage rates based on a single capture, but it would probably be Baysien and subject to skepticism or criticism. [CM:] You're getting into a lot of detail. Let's get back to George Duncan. [DB:] Alright... George Duncan. Sirbu and Rimm decided they did not want to bring George Duncan into this. The discussion at that meeting moved on, the topic turned to funding; Rim was perennially short of funds and needed money. By a, this discussion of several possible ways of getting funds -- I think a similar discussion occurred at another meeting a well that Zuckerman did attend, and it was suggested that the Heinz school, Al Blumstein's attempt to get money for the longitudinal study of crime, was one possible group that might be interested in pornographic criminality and that touching base with them would be good to do. So we left it there. The meeting ended. I walked back to Baker Hall with Rimm. We were meeting at Sirbu's place over at the INI. On the way back, I suggested that perhaps Rimm and I should speak to George Duncan, with an idea of finding out about possible finding through Heinz and also that this would be a good opportunity to get his opinions on the privacy issues and how to best keep the data secure. Rimm agreed. I think he was looking at it as a way of checking out finds, and I was looking at it as a way of getting George Duncan involved in this. I got back to my office and I called George to try ad set up an appointment and he agreed. It was a little bit further off than I wanted. I think it was something like November 12. I have my book here if you want a date. No. Okay. On the phone, I briefed George as to what had gone on, and he said it was certainly a problem and he would be happy to meet with us and he would be with us in about a week and a half later. I brought Rimm ... I contacted George as well, asking for a time, and I think g a time was fixed by all three of us. I forget exactly how that cycled through. When we met, I described the problem. I described Sirbu's view of the legality of grabbing it. George mentioned, he had talked about how the system is wide open, people act as if they are private when, in fact, they aren't and they are very foolish to do that. And he did not say anything about destroying the database that had been captured. He said it was important to anonymize it. He also indicated that there was ethical obligation to notify the administration about this hole in the Andrew system. The second recommendation was much weaker and more casual that the first and, in fact, George had forgotten about that until I reminded him after all this started in July that he had made a second suggestion as well. We talked about what would be involved in the anonymization of the data and it was not a trivial task, as I understand it. I do not know; I have not seen the filed, so I do not know exactly how hard that is to do. But the estimates I had were something on the order of 40 to 80 hours of somebody's time to go through the entire thing and delete all the names out. I gather it's not in standard format that you can just write a macro that will go through the entire thing and delete the names out. I gather it is not in a standard format that you can just write a macro that will go through and delete every second line. it's more complicated than that. Rimm stated that he did not have time to anonymize it immediately, but he might be able to do it this summer. George said that waiting for the summer would make him nervous, and he would encourage us to try and do it more rapidly than that. I said that I was teaching a class in Categorical Data in the spring semester. I asked Rimm what type of resources are needed to anonymize the database. How big a problem is it? How much would be have to pay somebody? And Rimm replied that all it would take would be course credit for an undergraduate course in independent study and that we could get one of his helpers to do it under that framework. I said that there ought to be an educational component to the whole categorical framework, and that if the student were to audit my Categorical Data class then this could be a project that they would do and it would count as an independent study. Rimm suggested that Ted would be the right person for this. I said I need to meet Ted, but in principle that sounds like a way to proceed. George Duncan said that that seemed sufficiently fast to him, and I believe that was essentially all the conversation. [CM:] Anything happen after that? [DB:] Yes, well, I was surprised that George did not instruct us to destroy the database. And I mentioned this to John Lehoczky afterwards. And John told me that, you know, that George is the expert and if you do what George says, that's good. so that's where we stood. So in particular, he wasn't familiar with the sections from the Faculty Handbook that deal with computer privacy. [?:] George Duncan said nothing to suggest that there would be anything in the Faculty Handbook that would bare on this. [CM:] Was there any subsequent input or comments from George when the crime story broke that would refresh his mind if you brought this up? [DB:] George sent me e-mail shortly after he was contacts by Paul Christiano an the first e-mail asked me to remind him of what had been agreed at the meeting, and I told him two things: anonymize the database and notify the administration and that was it. He was also interviewed in Walking Wire shortly before that and he had said in that interview that CMU had an open system and so that there was no problem here. And he subsequently sent me e-mail saying that he had been misquoted and that was not what he said and I don't ... George's role in this seems to be tricky. I don't understand why he was on the first committee and I don't understand exactly what type of advice he was giving. The stuff that he said that he was reported to have said in the Wire interview agreed with the stuff that he told us in our meetings. But that's something that he ... I don't know. [CM:] It seems to me that throughout this discussion figuring out who's responsible for what is an issue of what's the relationship between different kinds of students and their faculty advisors. And I guess I was wondering if you could describe more qualitatively for us what was your academic kind of relationship with Rimm? [unclear] advisor and what kind of relationship; who are you? [DB:] Well, that is one of the mistakes I think that the first Committee of Inquiry made. And by the way I hope you will check this. It's something I ask you. Have you determined whether or not I'm officially listed as the SURG advisor? [CM:] To the extent that I obtained a copy of the SURG proposal and your name is listed on that proposal as the advisor. [DB:] Have you checked ... when I called the SURG Office and asked if I was ever officially them, they said "no, you have never been on our records as any SURG advisor." [?:] Which is an interesting conflict itself. Right. Yes. Still on record. In one of the letters listed that we obtained, one of the grant applications that we obtained listed Zuckerman as the advisor. And, the other one has advisor ... [multiple voices; no clear finish to sentence] [DB:] I wrote a letter of recommendation, the story that I -- I don't know which order to take all this in. The ... now, gosh. Let me go back to the beginning which is your question and maybe that will the natural way to segue through all this. In July of 1994, one of our graduate students brought Martin Rimm to my office and said, "This guy's in my class. He's been asking problems about a project he's working on," and I do consulting, "so maybe you could give him some ideas." I said, "Sure." Rimm came in, told me about his work. and said that he was working with Ed Zuckerman and described the types of statistical problems that he was encountering. And I said I would be happy to -- hope I need to talk with Ed Zuckerman to make certain that I give you the right type of advice and that we're of one mind on the direction of the project. And that's pretty much the way I handle all undergraduate consulting stuff and actually a lot of graduate consulting stuff, too. I tried to phone Ed and wasn't successful. Ed wasn't around and it was about a week and half before Ed ever got back to me. But I went ahead and I talked with Rimm and there I saw myself as just a guy in the Statistics Department who gives advice to whoever comes in and has a problem. After a couple of weeks, and I don't have a good time sense on this, but I think it was after I returned from the ASA meeting, which would put it in mid-late August, Rimm told me that he though he could work well with me and hoped that I would be his advisor, that Ed Zuckerman had been the advisor because the clock was running and he needed to find a faculty member, but Ed was an adjunct professor and was not plugged into the community, and I said I can't do that type of thing, it's Ed's job and if Ed wants me to take over, fine. I guess I'd be willing to do that, but I'm not going to make a deal with this with you. A few days later I got a call from Ed Zuckerman saying that he'd be delighted if a regular faculty member took over on this. But I think Ed was actually taking a new job at the time and he indicated that he was very busy and he would regard this as a favor if I would do that. So I said īSure, in principle I agree we need to have a meeting between me and you and martin to arrange a transfer of custody and understand who has what responsibilities.' Agreed that such a meeting would take place and by this time it was early September and the actual meeting took place in about the last week of September. In the process of scheduling that meeting, Rimm indicated that we ought to invite Sirbu as well because he has been talking with Sirbu about the project for quite a while in the Spring and that he has been involved and it was good to have him. So I invited Sirbu to the meeting and Sirbu agreed, but for scheduling reasons felt it was better to hold it over at the INI, and so we all went over there to meet. And in that meeting there was no discussion of transfer of custody at all. Sirbu had a list of points that he wanted to discuss and he had an agenda, and, just he sort of ... we ran the meeting that way. And a few days later, in fact, I think it must have ... a few days later, Rimm told me that he actually preferred to have Sirbu as his advisor rather than me, so the transfer of custody took place between Zuckerman and Sirbu, and I was not in the loop on that. I did agree to teach an independent study course to Rimm in which we would do the statistics involved in his paper, and I vowed that as being like a senior thesis that happens in H&SS where I have worked with [the college? unclear] on these people before. Seniors have usually a two- semester project which is to write a paper and then that's how the independent study is done. At the time I agreed, I had though Rimm was going to be my advisee on the SURG project and so that seemed like a very natural way to formalize the relationship. When he withdrew and switched to Sirbu, I was not happy about this because I had not heard of Sirbu's involvement, but it seemed to me that I ought not to stop the independent study course at that time because the add/drop date had passed and I had agreed to do it, and there was honest intellectual work to be done there, so my sense as a person teaching an independent study as a teacher, I had more than the usual responsibility for a student than I have for somebody who just comes to my office and asks a question. So I have a certainly more responsible than a generic statistical consultant. In what follows, Sirbu to my mind was the graduate director of the project and I guess the best analogy I can make is to a situation in which somebody has a graduate student who needs some statistical help, sends them to me, I give me best advice and I relay that back to the both of them. He's not a graduate student due to special circumstances, but that's the type of feel I had for him. And certainly this is what both Sirbu and Rimm sort of expressed to me as their opinions when Sirbu came to speak with John Lehoczky and myself about all the ethical concerns I had in the management of my project. Sirbu spoke as the advisor in charge ofd the project - this is what he was doing. Rimm sent me e-mail, which I don't think I saved, unfortunately, but there was a lot of e-mail that I didn't save and so this could be twice as thick as quick if I had. [?:] Comment from committee member. CM[?:] Well, I hate to tell you this Dave, but probably much of it could be reconstructed if you asked the Statistics department's administrator to mount the backup tapes for the moments in question here. I mean, a lot of it perhaps could be recovered.. But Rimm told me that in his minds that I had done less that 5 percent of the contribution to the project, and that he and Sirbu had the lion's share and that my quibbling about stuff was inappropriate. And that was in one of the ore charged letters that occurred at the end of November when we were unhappy with each other. [DB:] So that's my general senses as to where I was involved. After November, of course, they wouldn't meet with me, return e-mail, return phone calls until John Lehoczky pressured Sirbu into a meeting and then they still didn't meet with me, return phone calls, or do anything until after spring break when Rimm actually wanted money from the DoJ. so there was this long period when I was out of it. When I returned in, I'll have to look at it, it was I think April, the explicit agreement was that I was not involved in this paper anymore. I was willing to work on an attempt to get funding to do research with the DoJ, but I had given them, you know, second to last chances, last chances, last chances after last chances, and I wasn't going to get back into that nest. So that's sort of where I was in all of this. And that led to other questions, and I'm trying to remember what the thread of the whole thing was. [CM:] This was on ... right. [?:] I'm satisfied with it. Okay. And then that led to, there were two questions that I'm going to try to segue into that was sparked by your comment or Paul's? [DB:] No, no. I have one backed up -- I don't want to confuse a point. It is specifically the issue of whether you were advisor on the SURG grants and, in particular, your goal in the resulting November.... [CM:] Oh, yes. I do have questions about that. [DB:] Okay. Actually, I should say I don't know why the first Committee of Inquiry thought I was the SURG advisor. The letter of recommendation, I see that, but that was the point I wanted to pick up. I was very much like I've got, oh, that's not my signature, never saw this piece of paper, had nothing to do with it. [CM:] So this was just what Rimm filled ... this is Rimm's writing? Is that his handwriting? [DB:] I believe that it is although I don't have actually any handwritten copy from Rimm anymore. I don't have any hard copy with his handwriting on it. [CM:] But you did write a letter ... [DB:] Of recommendation. [CM:] ... no, a letter requesting, yes, I guess you could call it a letter of recommendation to the SURG proposal evaluators requesting money for a venture. [DB:] Yes, that is mine. The situation on that was in one of our weekly meetings, Rimm, who was perennially short of funds for this project, came in and said that Barbara Lazarus had told him that there was a little extra SURG money floating around. I, by the way, had only thought that he had one SURG grant. I was not aware that Barbara Lazarus was married to Marvin Sirbu and didn't find our about that until the end of November, when things were getting complicated. In this particular case, Rimm came to my office during our weekly meeting; he said that he had been told that there was extra money left in the SURG budget and that Barbara Lazarus had invited him to apply for a residual from that, and that he needed a letter of recommendation to do so. And I said I'd be happy to write a letter saying that this is a worthwhile project that needs money, and, in fact, I think the particular purpose of this money was to protect the security of the data that has been given to Rimm by the sysop. [CM:] Is that what it says? [DB:] That's not the case. [CM:] Okay, what does it say. [DB:] It's to request money for ... [CM:] a stand alone computer type thing. [DB:] No, it's to, I think it's to ... from acquiring storing and tabulating usage records from the six largest commercial pornographic bulletin board in the U.S. In other words, it seemed to me that it included perhaps money for subscribing to this bulletin board, as well. Okay. The ... right ... let me read the wording. Well, actually, let me tell you what I think first, and then we can see if it actually matches what I had written. There was no need to spend money to acquire that because that has been apparently given freely to Rimm by the sysop. Rimm felt that it, while it was clearly high secured data and I had given ... [CM:] Is this the same bulletin board that is described throughout the e-mail messages that we received, or is this another bulletin board? One was referred to repeatedly. I thought this was a different one that you wanted access to. [DB:] No. [CM:] I'm not sure that question was very clear. [DB:] There are three data sets that ought to have been referred to repeatedly in the e-mail. The one that this one corresponds to is the data that a very foolish sysop had apparently freely given to Rimm to analyze with the understanding that Rimm would tell them marketing habits of his customers and that was the quid pro quo. Rimm told me that he had asked the guy to anonymize the data first and the guy said that he didn't have time, but that he would trust Rimm to keep it secure. Rimm felt that keeping it on the Andrew system was insecure and that he wanted this residual money from the SURG grant to allow him to have a PC or some sort of stand alone device that was not connected to anything else to hold on to that data. That would handle the tabulation and the analysis and the protection of this secured data. There should have been no statement to get to this within the acq